@naylence/advanced-security 0.3.7-test.127 → 0.3.7-test.129

package/dist/node/node.cjs

@@ -17,12 +17,12 @@ var factory = require('@naylence/factory');
 var sha256_js = require('@noble/hashes/sha256.js');
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.7-test.127
+// Generated from package.json version: 0.3.7-test.129
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.7-test.127';
+const VERSION = '0.3.7-test.129';
 
 const logger$h = runtime.getLogger("naylence.fame.security.cert.util");
 const CACHE_LIMIT = 512;
@@ -7457,7 +7457,7 @@ function normalizeSigning(config, explicit) {
     }
     return null;
 }
-function normalizeOptions(config, securitySettings, signing) {
+function normalizeOptions(config, securitySettings, signing, trustStorePem) {
     const caServiceUrl = config.caServiceUrl ?? config.ca_service_url ?? null;
     const cryptoProvider = config.cryptoProvider ?? config.crypto_provider ?? null;
     return {
@@ -7465,6 +7465,7 @@ function normalizeOptions(config, securitySettings, signing) {
         signing,
         caServiceUrl,
         cryptoProvider,
+        trustStorePem,
     };
 }
 class DefaultCertificateManagerFactory extends runtime.CertificateManagerFactory {
@@ -7474,11 +7475,13 @@ class DefaultCertificateManagerFactory extends runtime.CertificateManagerFactory
         this.isDefault = true;
         this.priority = 100;
     }
-    async create(config, securitySettings, signing, ..._factoryArgs) {
+    async create(config, securitySettings, signing, ...factoryArgs) {
         const normalizedConfig = normalizeConfig$1(config);
         const resolvedSecuritySettings = normalizeSecuritySettings(normalizedConfig, securitySettings ?? null);
         const resolvedSigning = normalizeSigning(normalizedConfig, signing ?? null);
-        const options = normalizeOptions(normalizedConfig, resolvedSecuritySettings, resolvedSigning);
+        // Extract trust store PEM resolver from factoryArgs if provided
+        const trustStorePemResolver = factoryArgs[0];
+        const options = normalizeOptions(normalizedConfig, resolvedSecuritySettings, resolvedSigning, trustStorePemResolver ?? null);
         return new DefaultCertificateManager(options);
     }
 }
@@ -7822,22 +7825,55 @@ class HttpBundleProvider {
         if (pins && !pins.includes(hash)) {
             throw new Error("Trust bundle hash mismatch");
         }
+        const bundle = parseBundlePayload(payload, this.url.href);
+        // Version-based updates: if bundle has version field and it increased, allow hash change
+        const isVersionUpgrade = bundle.version !== null && this.version !== null && bundle.version > this.version;
         let expectedHash = pins ? hash : null;
         if (!pins) {
-            if (this.lastKnownHash) {
-                if (this.lastKnownHash !== hash) {
-                    throw new Error("Trust bundle hash changed without pin");
+            if (this.allowTofu) {
+                // TOFU mode: trust on first use, or if version increased
+                if (!this.lastKnownHash || isVersionUpgrade) {
+                    expectedHash = hash;
+                    if (this.lastKnownHash && this.lastKnownHash !== hash && isVersionUpgrade) {
+                        logger.info("trust_bundle_updated_via_version", {
+                            url: this.url.href,
+                            previousVersion: this.version,
+                            newVersion: bundle.version,
+                            previousHash: this.lastKnownHash,
+                            newHash: hash,
+                        });
+                    }
+                }
+                else if (this.lastKnownHash !== hash) {
+                    throw new Error("Trust bundle hash changed without version upgrade");
+                }
+                else {
+                    expectedHash = hash;
                 }
-                expectedHash = hash;
             }
-            else if (this.allowTofu) {
-                expectedHash = hash;
+            else if (this.lastKnownHash) {
+                // No TOFU, no pins: hash must not change once established, unless version increased
+                if (this.lastKnownHash !== hash) {
+                    if (isVersionUpgrade) {
+                        logger.info("trust_bundle_updated_via_version", {
+                            url: this.url.href,
+                            previousVersion: this.version,
+                            newVersion: bundle.version,
+                        });
+                        expectedHash = hash;
+                    }
+                    else {
+                        throw new Error("Trust bundle hash changed without pin or version upgrade");
+                    }
+                }
+                else {
+                    expectedHash = hash;
+                }
             }
             else if (isBrowserEnvironment() && this.enforceBrowserPins) {
                 throw new Error("Browser download without pins or TOFU is blocked");
             }
         }
-        const bundle = parseBundlePayload(payload, this.url.href);
         if (bundle.version !== null && this.version !== null) {
             if (bundle.version < this.version) {
                 throw new Error("Trust bundle downgrade detected");
@@ -9767,7 +9803,7 @@ class DefaultCAService extends CAService {
         if (roots.length === 0) {
             return null;
         }
-        const issuedAt = new Date().toISOString();
+        const issuedAt = computeEarliestIssuance(roots);
         const validUntil = computeEarliestExpiry(roots);
         const version = computeBundleVersion(roots);
         return {
@@ -9821,6 +9857,27 @@ function buildTrustBundleRoots(candidates) {
     }
     return roots;
 }
+function computeEarliestIssuance(roots) {
+    let earliest = null;
+    for (const root of roots) {
+        if (!root.notBefore) {
+            continue;
+        }
+        const timestamp = Date.parse(root.notBefore);
+        if (Number.isNaN(timestamp)) {
+            continue;
+        }
+        if (earliest === null || timestamp < earliest) {
+            earliest = timestamp;
+        }
+    }
+    // If no notBefore found, use earliest expiry as fallback, or current time
+    if (earliest === null) {
+        const earliestExpiry = computeEarliestExpiry(roots);
+        return earliestExpiry ?? new Date().toISOString();
+    }
+    return new Date(earliest).toISOString();
+}
 function computeEarliestExpiry(roots) {
     let earliest = null;
     for (const root of roots) {

package/dist/node/node.mjs

@@ -15,12 +15,12 @@ import { ExtensionManager, Registry, AbstractResourceFactory, createResource, cr
 import { sha256 as sha256$1 } from '@noble/hashes/sha256.js';
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.7-test.127
+// Generated from package.json version: 0.3.7-test.129
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.7-test.127';
+const VERSION = '0.3.7-test.129';
 
 const logger$h = getLogger("naylence.fame.security.cert.util");
 const CACHE_LIMIT = 512;
@@ -7455,7 +7455,7 @@ function normalizeSigning(config, explicit) {
     }
     return null;
 }
-function normalizeOptions(config, securitySettings, signing) {
+function normalizeOptions(config, securitySettings, signing, trustStorePem) {
     const caServiceUrl = config.caServiceUrl ?? config.ca_service_url ?? null;
     const cryptoProvider = config.cryptoProvider ?? config.crypto_provider ?? null;
     return {
@@ -7463,6 +7463,7 @@ function normalizeOptions(config, securitySettings, signing) {
         signing,
         caServiceUrl,
         cryptoProvider,
+        trustStorePem,
     };
 }
 class DefaultCertificateManagerFactory extends CertificateManagerFactory {
@@ -7472,11 +7473,13 @@ class DefaultCertificateManagerFactory extends CertificateManagerFactory {
         this.isDefault = true;
         this.priority = 100;
     }
-    async create(config, securitySettings, signing, ..._factoryArgs) {
+    async create(config, securitySettings, signing, ...factoryArgs) {
         const normalizedConfig = normalizeConfig$1(config);
         const resolvedSecuritySettings = normalizeSecuritySettings(normalizedConfig, securitySettings ?? null);
         const resolvedSigning = normalizeSigning(normalizedConfig, signing ?? null);
-        const options = normalizeOptions(normalizedConfig, resolvedSecuritySettings, resolvedSigning);
+        // Extract trust store PEM resolver from factoryArgs if provided
+        const trustStorePemResolver = factoryArgs[0];
+        const options = normalizeOptions(normalizedConfig, resolvedSecuritySettings, resolvedSigning, trustStorePemResolver ?? null);
         return new DefaultCertificateManager(options);
     }
 }
@@ -7820,22 +7823,55 @@ class HttpBundleProvider {
         if (pins && !pins.includes(hash)) {
             throw new Error("Trust bundle hash mismatch");
         }
+        const bundle = parseBundlePayload(payload, this.url.href);
+        // Version-based updates: if bundle has version field and it increased, allow hash change
+        const isVersionUpgrade = bundle.version !== null && this.version !== null && bundle.version > this.version;
         let expectedHash = pins ? hash : null;
         if (!pins) {
-            if (this.lastKnownHash) {
-                if (this.lastKnownHash !== hash) {
-                    throw new Error("Trust bundle hash changed without pin");
+            if (this.allowTofu) {
+                // TOFU mode: trust on first use, or if version increased
+                if (!this.lastKnownHash || isVersionUpgrade) {
+                    expectedHash = hash;
+                    if (this.lastKnownHash && this.lastKnownHash !== hash && isVersionUpgrade) {
+                        logger.info("trust_bundle_updated_via_version", {
+                            url: this.url.href,
+                            previousVersion: this.version,
+                            newVersion: bundle.version,
+                            previousHash: this.lastKnownHash,
+                            newHash: hash,
+                        });
+                    }
+                }
+                else if (this.lastKnownHash !== hash) {
+                    throw new Error("Trust bundle hash changed without version upgrade");
+                }
+                else {
+                    expectedHash = hash;
                 }
-                expectedHash = hash;
             }
-            else if (this.allowTofu) {
-                expectedHash = hash;
+            else if (this.lastKnownHash) {
+                // No TOFU, no pins: hash must not change once established, unless version increased
+                if (this.lastKnownHash !== hash) {
+                    if (isVersionUpgrade) {
+                        logger.info("trust_bundle_updated_via_version", {
+                            url: this.url.href,
+                            previousVersion: this.version,
+                            newVersion: bundle.version,
+                        });
+                        expectedHash = hash;
+                    }
+                    else {
+                        throw new Error("Trust bundle hash changed without pin or version upgrade");
+                    }
+                }
+                else {
+                    expectedHash = hash;
+                }
             }
             else if (isBrowserEnvironment() && this.enforceBrowserPins) {
                 throw new Error("Browser download without pins or TOFU is blocked");
             }
         }
-        const bundle = parseBundlePayload(payload, this.url.href);
         if (bundle.version !== null && this.version !== null) {
             if (bundle.version < this.version) {
                 throw new Error("Trust bundle downgrade detected");
@@ -9765,7 +9801,7 @@ class DefaultCAService extends CAService {
         if (roots.length === 0) {
             return null;
         }
-        const issuedAt = new Date().toISOString();
+        const issuedAt = computeEarliestIssuance(roots);
         const validUntil = computeEarliestExpiry(roots);
         const version = computeBundleVersion(roots);
         return {
@@ -9819,6 +9855,27 @@ function buildTrustBundleRoots(candidates) {
     }
     return roots;
 }
+function computeEarliestIssuance(roots) {
+    let earliest = null;
+    for (const root of roots) {
+        if (!root.notBefore) {
+            continue;
+        }
+        const timestamp = Date.parse(root.notBefore);
+        if (Number.isNaN(timestamp)) {
+            continue;
+        }
+        if (earliest === null || timestamp < earliest) {
+            earliest = timestamp;
+        }
+    }
+    // If no notBefore found, use earliest expiry as fallback, or current time
+    if (earliest === null) {
+        const earliestExpiry = computeEarliestExpiry(roots);
+        return earliestExpiry ?? new Date().toISOString();
+    }
+    return new Date(earliest).toISOString();
+}
 function computeEarliestExpiry(roots) {
     let earliest = null;
     for (const root of roots) {

package/dist/types/naylence/fame/security/cert/default-certificate-manager-factory.d.ts

@@ -17,7 +17,7 @@ export declare class DefaultCertificateManagerFactory extends CertificateManager
     readonly type = "DefaultCertificateManager";
     readonly isDefault = true;
     readonly priority = 100;
-    create(config?: DefaultCertificateManagerConfig | Record<string, unknown> | null, securitySettings?: SecuritySettings | null, signing?: SigningConfig | null, ..._factoryArgs: unknown[]): Promise<CertificateManager>;
+    create(config?: DefaultCertificateManagerConfig | Record<string, unknown> | null, securitySettings?: SecuritySettings | null, signing?: SigningConfig | null, ...factoryArgs: unknown[]): Promise<CertificateManager>;
 }
 export default DefaultCertificateManagerFactory;
 //# sourceMappingURL=default-certificate-manager-factory.d.ts.map

package/dist/types/naylence/fame/security/cert/default-certificate-manager-factory.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"default-certificate-manager-factory.d.ts","sourceRoot":"","sources":["../../../../../../src/naylence/fame/security/cert/default-certificate-manager-factory.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAEL,yBAAyB,EAEzB,KAAK,wBAAwB,EAC7B,KAAK,aAAa,EAClB,KAAK,kBAAkB,EACxB,MAAM,mBAAmB,CAAC;AAQ3B,MAAM,WAAW,+BACf,SAAQ,wBAAwB;IAChC,IAAI,EAAE,2BAA2B,CAAC;IAClC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,gBAAgB,CAAC,EAAE,gBAAgB,GAAG,IAAI,CAAC;IAC3C,iBAAiB,CAAC,EAAE,gBAAgB,GAAG,IAAI,CAAC;IAC5C,cAAc,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC;IAChC,eAAe,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC;CAClC;AAED,eAAO,MAAM,YAAY;;;CAGf,CAAC;AA6EX,qBAAa,gCAAiC,SAAQ,yBAAyB,CAAC,+BAA+B,CAAC;IAC9G,SAAgB,IAAI,+BAA+B;IACnD,SAAgB,SAAS,QAAQ;IACjC,SAAgB,QAAQ,OAAO;IAElB,MAAM,CACjB,MAAM,CAAC,EAAE,+BAA+B,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,EACzE,gBAAgB,CAAC,EAAE,gBAAgB,GAAG,IAAI,EAC1C,OAAO,CAAC,EAAE,aAAa,GAAG,IAAI,EAC9B,GAAG,YAAY,EAAE,OAAO,EAAE,GACzB,OAAO,CAAC,kBAAkB,CAAC;CAe/B;AAED,eAAe,gCAAgC,CAAC"}
+{"version":3,"file":"default-certificate-manager-factory.d.ts","sourceRoot":"","sources":["../../../../../../src/naylence/fame/security/cert/default-certificate-manager-factory.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAEL,yBAAyB,EAEzB,KAAK,wBAAwB,EAC7B,KAAK,aAAa,EAClB,KAAK,kBAAkB,EACxB,MAAM,mBAAmB,CAAC;AAQ3B,MAAM,WAAW,+BACf,SAAQ,wBAAwB;IAChC,IAAI,EAAE,2BAA2B,CAAC;IAClC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,gBAAgB,CAAC,EAAE,gBAAgB,GAAG,IAAI,CAAC;IAC3C,iBAAiB,CAAC,EAAE,gBAAgB,GAAG,IAAI,CAAC;IAC5C,cAAc,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC;IAChC,eAAe,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC;CAClC;AAED,eAAO,MAAM,YAAY;;;CAGf,CAAC;AA+EX,qBAAa,gCAAiC,SAAQ,yBAAyB,CAAC,+BAA+B,CAAC;IAC9G,SAAgB,IAAI,+BAA+B;IACnD,SAAgB,SAAS,QAAQ;IACjC,SAAgB,QAAQ,OAAO;IAElB,MAAM,CACjB,MAAM,CAAC,EAAE,+BAA+B,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,EACzE,gBAAgB,CAAC,EAAE,gBAAgB,GAAG,IAAI,EAC1C,OAAO,CAAC,EAAE,aAAa,GAAG,IAAI,EAC9B,GAAG,WAAW,EAAE,OAAO,EAAE,GACxB,OAAO,CAAC,kBAAkB,CAAC;CAoB/B;AAED,eAAe,gCAAgC,CAAC"}

package/dist/types/naylence/fame/security/cert/trust-store/http-bundle-provider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"http-bundle-provider.d.ts","sourceRoot":"","sources":["../../../../../../../src/naylence/fame/security/cert/trust-store/http-bundle-provider.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EACV,WAAW,EACX,kBAAkB,EAClB,eAAe,EAChB,MAAM,mBAAmB,CAAC;AAmB3B,MAAM,WAAW,yBAA0B,SAAQ,eAAe;IAChE,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,oBAAoB,CAAC,EAAE,OAAO,CAAC;IACxC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,OAAO,CAAC;CACtC;AA6CD,qBAAa,kBAAmB,YAAW,kBAAkB;IAC3D,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAM;IAC1B,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAS;IAC3C,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAoB;IAC7C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAoB;IACjD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAU;IACpC,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAU;IAC7C,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAU;IAE5C,OAAO,CAAC,WAAW,CAAK;IACxB,OAAO,CAAC,IAAI,CAAuB;IACnC,OAAO,CAAC,aAAa,CAAuB;IAC5C,OAAO,CAAC,OAAO,CAAuB;IACtC,OAAO,CAAC,OAAO,CAA8B;IAC7C,OAAO,CAAC,QAAQ,CAAuC;IACvD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAyB;IACnD,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,QAAQ,CAAuB;gBAEpB,OAAO,EAAE,yBAAyB;IAiDxC,QAAQ,IAAI,OAAO,CAAC,SAAS,WAAW,EAAE,CAAC;IA+B3C,gBAAgB,IAAI,OAAO,CAAC,MAAM,CAAC;IAiBzC,QAAQ,CAAC,QAAQ,EAAE,MAAM,IAAI,GAAG,MAAM,IAAI;IAOpC,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAqBxC,OAAO,CAAC,gBAAgB;YASV,WAAW;IAkFzB,OAAO,CAAC,eAAe;CAWxB"}
+{"version":3,"file":"http-bundle-provider.d.ts","sourceRoot":"","sources":["../../../../../../../src/naylence/fame/security/cert/trust-store/http-bundle-provider.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EACV,WAAW,EACX,kBAAkB,EAClB,eAAe,EAChB,MAAM,mBAAmB,CAAC;AAmB3B,MAAM,WAAW,yBAA0B,SAAQ,eAAe;IAChE,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,oBAAoB,CAAC,EAAE,OAAO,CAAC;IACxC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,OAAO,CAAC;CACtC;AA6CD,qBAAa,kBAAmB,YAAW,kBAAkB;IAC3D,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAM;IAC1B,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAS;IAC3C,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAoB;IAC7C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAoB;IACjD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAU;IACpC,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAU;IAC7C,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAU;IAE5C,OAAO,CAAC,WAAW,CAAK;IACxB,OAAO,CAAC,IAAI,CAAuB;IACnC,OAAO,CAAC,aAAa,CAAuB;IAC5C,OAAO,CAAC,OAAO,CAAuB;IACtC,OAAO,CAAC,OAAO,CAA8B;IAC7C,OAAO,CAAC,QAAQ,CAAuC;IACvD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAyB;IACnD,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,QAAQ,CAAuB;gBAEpB,OAAO,EAAE,yBAAyB;IAiDxC,QAAQ,IAAI,OAAO,CAAC,SAAS,WAAW,EAAE,CAAC;IA+B3C,gBAAgB,IAAI,OAAO,CAAC,MAAM,CAAC;IAiBzC,QAAQ,CAAC,QAAQ,EAAE,MAAM,IAAI,GAAG,MAAM,IAAI;IAOpC,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAqBxC,OAAO,CAAC,gBAAgB;YASV,WAAW;IAgHzB,OAAO,CAAC,eAAe;CAWxB"}

package/dist/types/version.d.ts

@@ -2,5 +2,5 @@
  * The package version, injected at build time.
  * @internal
  */
-export declare const VERSION = "0.3.7-test.127";
+export declare const VERSION = "0.3.7-test.129";
 //# sourceMappingURL=version.d.ts.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@naylence/advanced-security",
-  "version": "0.3.7-test.127",
+  "version": "0.3.7-test.129",
   "type": "module",
   "description": "Advanced security utilities for the Naylence Fame runtime implemented in TypeScript.",
   "author": "Naylence Dev <naylencedev@gmail.com>",
@@ -142,7 +142,7 @@
     "prepublishOnly": "npm run build && npm test"
   },
   "dependencies": {
-    "@naylence/runtime": "^0.3.5-test.924",
+    "@naylence/runtime": "^0.3.5-test.925",
     "@noble/ciphers": "^2.0.1",
     "@noble/curves": "^1.4.0",
     "@noble/ed25519": "^2.1.0",